{ "threat_severity" : "Moderate", "public_date" : "2024-10-21T00:00:00Z", "bugzilla" : { "description" : "kernel: net: tun: Fix use-after-free in tun_detach()", "id" : "2320670", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2320670" }, "cvss3" : { "cvss3_base_score" : "6.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: tun: Fix use-after-free in tun_detach()\nsyzbot reported use-after-free in tun_detach() [1]. This causes call\ntrace like below:\n==================================================================\nBUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75\nRead of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673\nCPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:284 [inline]\nprint_report+0x15e/0x461 mm/kasan/report.c:395\nkasan_report+0xbf/0x1f0 mm/kasan/report.c:495\nnotifier_call_chain+0x1ee/0x200 kernel/notifier.c:75\ncall_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942\ncall_netdevice_notifiers_extack net/core/dev.c:1983 [inline]\ncall_netdevice_notifiers net/core/dev.c:1997 [inline]\nnetdev_wait_allrefs_any net/core/dev.c:10237 [inline]\nnetdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351\ntun_detach drivers/net/tun.c:704 [inline]\ntun_chr_close+0xe4/0x190 drivers/net/tun.c:3467\n__fput+0x27c/0xa90 fs/file_table.c:320\ntask_work_run+0x16f/0x270 kernel/task_work.c:179\nexit_task_work include/linux/task_work.h:38 [inline]\ndo_exit+0xb3d/0x2a30 kernel/exit.c:820\ndo_group_exit+0xd4/0x2a0 kernel/exit.c:950\nget_signal+0x21b1/0x2440 kernel/signal.c:2858\narch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869\nexit_to_user_mode_loop kernel/entry/common.c:168 [inline]\nexit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203\n__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\nsyscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296\ndo_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nThe cause of the issue is that sock_put() from __tun_detach() drops\nlast reference count for struct net, and then notifier_call_chain()\nfrom netdev_state_change() accesses that struct net.\nThis patch fixes the issue by calling sock_put() from tun_detach()\nafter all necessary accesses for the struct net has done." ], "statement" : "This issue is considered to be a moderate impact flaw, as the exploitation for this will need an ADMIN (or ROOT) privilege (PR:H) in drivers/net/tun.c.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49014\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49014\nhttps://lore.kernel.org/linux-cve-announce/2024102153-CVE-2022-49014-1627@gregkh/T" ], "name" : "CVE-2022-49014", "csaw" : false }